HTTPS certificates


This is for a RHEL/CentOS 6.6 machine.

There isn’t a genkey command, but in /etc/pki/tls/certs/ there is a Makefile that seems to do what we want:

make usage

prints some helpful and encouraging messages. Since I want to set up HTTPS to this machine and it uses apache, I did:

make genkey

Hmph. That says there’s nothing to be done. Okay, so maybe the keys already exist (were created when this server was set up), but I need to generate a certificate request. So:

make certreq

Aha, that prompts me for a number of fields:

Country Name:US
State or Province Name:Massachusetts
Locality Name:Wellesley
Organization Name:Wellesley College
Organizational Unit:Computer Science
Common Name:studentorgs.wellesley.edu
Email Address:someone@wellesley.edu

The only one that gave me any pause was the Common Name, but apparently that’s the fully qualified domain name of the server. I found this site helpful: http://www.rackspace.com/knowledge_center/article/generate-a-csr-with-openssl

That created a file in the local directory called localhost.csr.

I copy/pasted that into the box on the form on the website of the cert authority that Tim Cantin said we have a contract with, and clicked “get common name from CSR” and it complained that the public key size has to be a minimum of 2048 bits. Apparently the Makefile that RHEL/CentOS comes with is less than that. Back to the drawing board:

Referencing these websites: http://tecadmin.net/simple-steps-to-generate-csr-on-centos/ and http://wiki.centos.org/HowTos/Https, I went back to the server and its /etc/pki/tls/certs/ directory and did:

openssl genrsa -out studentorgs.key 2048

That generates the private key. Then I did

openssl req -new -key studentorgs.key -out studentorgs.csr

That prompts for the same info as above and creates the CSR file.
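The two commands above, as an added example that is not from the original post, wrapped in shell functions that run without prompting and then perform the checks the CA's form applied before anything is pasted into it: key size of at least 2048 bits, CSR actually signed by the generated key, and the Common Name it carries. The file names and subject values are constructed for this example.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation, followed by the checks
# worth running before pasting the CSR into the CA's web form.
# File names and the subject below are constructed for this example.

SUBJ="/C=US/ST=Massachusetts/L=Wellesley/O=Wellesley College/OU=Computer Science/CN=studentorgs.wellesley.edu/emailAddress=someone@wellesley.edu"

# make_csr KEY CSR BITS SUBJECT: the two openssl commands from the post,
# with -subj so they run without prompting for each field.
make_csr() {
    key=$1; csr=$2; bits=$3; subj=$4
    openssl genrsa -out "$key" "$bits" 2>/dev/null
    chmod 600 "$key"                       # the private key must not be world-readable
    openssl req -new -key "$key" -out "$csr" -subj "$subj" 2>/dev/null
}

# check_csr KEY CSR: return 1 if the CSR would be rejected for a key smaller
# than 2048 bits, or if it was not produced from KEY; on success print the
# Common Name the CA will issue the certificate for.
check_csr() {
    key=$1; csr=$2
    bits=$(openssl req -in "$csr" -noout -text |
           sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
        echo "key size ${bits:-unknown} < 2048 bits; the CA will reject this CSR" >&2
        return 1
    fi
    # The CSR carries the public key; its modulus must match the private key's.
    if [ "$(openssl req -in "$csr" -noout -modulus)" != \
         "$(openssl rsa -in "$key" -noout -modulus)" ]; then
        echo "CSR was not generated from $key" >&2
        return 1
    fi
    # The CSR is self-signed with the private key; make sure that signature is intact.
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
    openssl req -in "$csr" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}
```

Running check_csr against a 1024-bit key reproduces the rejection the CA's form gave for the Makefile-generated request, before any time is spent on the web form.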

I then copy/pasted that into the Cert Authority’s web form and that worked!

Soon thereafter, I got a response from the Cert Authority with two links to download:

as X509 Certificate only, Base64 encoded: <link to download domain_cert.cer>
as X509 Intermediates/root only, Base64 encoded: <link to download domain_interm.cer>

Copy both of those files to the /etc/pki/tls/certs directory on the server. Edit the /etc/httpd/conf.d/ssl.conf file and make the full pathname to domain_cert.cer the value of SSLCertificateFile, and the full pathname to domain_interm.cer the value of SSLCertificateChainFile.

Note that the full pathname to domain.key (the private key generated above, studentorgs.key in this walkthrough) should be the value of SSLCertificateKeyFile.

Restart Apache and you’re done!

About CS SysAdmins

The CS Department System Administrators